- if(flags & FLAG_NR_AR_ATTACK ) {
- if(ar_nr_collected < 2){
- // Avoid duplicates... probably not necessary, nr should vary.
- //if(ar_nr_responses[3] != nr){
- ar_nr_responses[ar_nr_collected*5] = 0;
- ar_nr_responses[ar_nr_collected*5+1] = 0;
- ar_nr_responses[ar_nr_collected*5+2] = nonce;
- ar_nr_responses[ar_nr_collected*5+3] = nr;
- ar_nr_responses[ar_nr_collected*5+4] = ar;
- ar_nr_collected++;
- //}
- }
-
- if(ar_nr_collected > 1 ) {
-
- if (MF_DBGLEVEL >= 2) {
- Dbprintf("Collected two pairs of AR/NR which can be used to extract keys from reader:");
- Dbprintf("../tools/mfkey/mfkey32 %07x%08x %08x %08x %08x %08x %08x",
- ar_nr_responses[0], // UID1
- ar_nr_responses[1], // UID2
- ar_nr_responses[2], // NT
- ar_nr_responses[3], // AR1
- ar_nr_responses[4], // NR1
- ar_nr_responses[8], // AR2
- ar_nr_responses[9] // NR2
- );
- Dbprintf("../tools/mfkey/mfkey32v2 %06x%08x %08x %08x %08x %08x %08x %08x",
- ar_nr_responses[0], // UID1
- ar_nr_responses[1], // UID2
- ar_nr_responses[2], // NT1
- ar_nr_responses[3], // AR1
- ar_nr_responses[4], // NR1
- ar_nr_responses[7], // NT2
- ar_nr_responses[8], // AR2
- ar_nr_responses[9] // NR2
- );
+ // Collect AR/NR per keytype & sector
+ if ( (flags & FLAG_NR_AR_ATTACK) == FLAG_NR_AR_ATTACK ) {
+ for (uint8_t i = 0; i < ATTACK_KEY_COUNT; i++) {
+ if ( ar_nr_collected[i+mM]==0 || ((cardAUTHSC == ar_nr_resp[i+mM].sector) && (cardAUTHKEY == ar_nr_resp[i+mM].keytype) && (ar_nr_collected[i+mM] > 0)) ) {
+ // if first auth for sector, or matches sector and keytype of previous auth
+ if (ar_nr_collected[i+mM] < 2) {
+ // if we haven't already collected 2 nonces for this sector
+ if (ar_nr_resp[ar_nr_collected[i+mM]].ar != ar) {
+ // Avoid duplicates... probably not necessary, ar should vary.
+ if (ar_nr_collected[i+mM]==0) {
+ // first nonce collect
+ ar_nr_resp[i+mM].cuid = cuid;
+ ar_nr_resp[i+mM].sector = cardAUTHSC;
+ ar_nr_resp[i+mM].keytype = cardAUTHKEY;
+ ar_nr_resp[i+mM].nonce = nonce;
+ ar_nr_resp[i+mM].nr = nr;
+ ar_nr_resp[i+mM].ar = ar;
+ nonce1_count++;
+ // add this nonce to first moebius nonce
+ ar_nr_resp[i+ATTACK_KEY_COUNT].cuid = cuid;
+ ar_nr_resp[i+ATTACK_KEY_COUNT].sector = cardAUTHSC;
+ ar_nr_resp[i+ATTACK_KEY_COUNT].keytype = cardAUTHKEY;
+ ar_nr_resp[i+ATTACK_KEY_COUNT].nonce = nonce;
+ ar_nr_resp[i+ATTACK_KEY_COUNT].nr = nr;
+ ar_nr_resp[i+ATTACK_KEY_COUNT].ar = ar;
+ ar_nr_collected[i+ATTACK_KEY_COUNT]++;
+ } else { // second nonce collect (std and moebius)
+ ar_nr_resp[i+mM].nonce2 = nonce;
+ ar_nr_resp[i+mM].nr2 = nr;
+ ar_nr_resp[i+mM].ar2 = ar;
+ if (!gettingMoebius) {
+ nonce2_count++;
+ // check if this was the last second nonce we need for std attack
+ if ( nonce2_count == nonce1_count ) {
+ // done collecting std test switch to moebius
+ // first finish incrementing last sample
+ ar_nr_collected[i+mM]++;
+ // switch to moebius collection
+ gettingMoebius = true;
+ mM = ATTACK_KEY_COUNT;
+ break;
+ }
+ } else {
+ moebius_n_count++;
+ // if we've collected all the nonces we need - finish.
+ if (nonce1_count == moebius_n_count) {
+ cmd_send(CMD_ACK,CMD_SIMULATE_MIFARE_CARD,0,0,&ar_nr_resp,sizeof(ar_nr_resp));
+ nonce1_count = 0;
+ nonce2_count = 0;
+ moebius_n_count = 0;
+ gettingMoebius = false;
+ }
+ }
+ }
+ ar_nr_collected[i+mM]++;
+ }
+ }
+ // we found right spot for this nonce stop looking
+ break;
+ }